Privacy Policy

1.1 This policy ("Privacy Policy") describes how StashAway Management (DIFC) Limited (Company No. 3982) ("StashAway") manages Personal Data which is in our possession or under our control. "Personal Data", is defined in the Dubai International Financial Centre ("DIFC") Data Protection Law (DIFC Law No. 5 of 2020)) ("DPL"), and currently refers to any information referring to an identified or Identifiable Natural Person. An "Identifiable Natural Person" is defined in the DPL as a natural living person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one (1) or more factors specific to his biological, physical, biometric, physiological, mental, genetic, economic, cultural or social identity. Personal Data may also include "Special Categories of Personal Data". Special Categories of Personal Data is Personal Data revealing or concerning (directly or indirectly) racial or ethnic origin, communal origin, political, affiliations or opinions, religious or philosophical beliefs, criminal record, trade-union membership and health or sex life ad including genetic data and biometric data where it is used for the purpose of uniquely identifying a natural person.

1.2 We process your Personal Data in accordance with the DPL. We process your Personal Data as required for the performance of your agreement(s) with us to use our services ("Services"), operating any account maintained with us, accessing the online platform operated by us (which is accessible through our website at www.stashaway.ae or through our mobile application) ("Platform"), websites or mobile applications, or otherwise to enable you to provideinformation to or communicate with us. We undertake the processing of your Personal Data as required to comply with Applicable Law (as defined below) that we are subject to. We also process your Personal Data for the purpose of legitimate interests pursued by us or a third party to whom your Personal Data is made available, except in the circumstances where such interests are overridden by your interests or rights as a data subject under the DPL. Please see clause 5 below for a detailed list of the “Purposes” for which we process your Personal Data.

1.3 This Privacy Policy does not supersede or replace any other consents you may have previously or separately provided to us in respect of your Personal Data, and your consent to this Privacy Policy is in addition to any other rights which we may have at law to collect, use, process or disclose your Personal Data.

1.4 The words "we", "us", "our" or any of their derivatives refer to Stashaway and its successors and any novatee, assignee, transferee or purchaser of Stashaway's rights and/or obligations hereunder and any reference to Stashaway includes a reference to such successor, novatee, assignee, transferee or purchaser. The words "you", "your", "yours" or any of their derivatives refer to the person using our Services, operating any account maintained with us, accessing our Platform, website or mobile applications, or otherwise providing information to or communicating with us and shall include, as the context may require, personal representatives (as the case may be).

1.5 This Privacy Policy shall be governed by, and construed in accordance with, the laws of the DIFC. Without prejudice to your rights under any applicable laws, any dispute arising out of or in connection with this Privacy Policy and/or the documents referred to herein, including any question regarding their existence, validity or termination, shall be referred to and finally resolved by the DIFC Courts and both you and we hereby unconditionally and irrevocably submit to the exclusive jurisdiction of the DIFC Courts.

The column on the left sets out StashAway's (i.e. our) Privacy Policy. The Privacy Policy describes how we manage Personal Data in our possession or under our control.

This Summary in this right column provides a short explanation of the Privacy Policy.

This is not legally binding and not comprehensive, and you are encouraged to read and understand the Privacy Policy.

If there are any differences between the Summary and the Privacy Policy, the Privacy Policy prevails.

2.1 We collect, use, disclose, transfer and otherwise process Personal Data about you or Personal Data relating to individuals who are connected or associated with you including but not limited to your legal representatives that you provide to us ("Associated Persons") in accordance with this Privacy Policy.

2.2 The Personal Data that we collect or may collect include:

1. personal contact data including name, telephone number, email address, residential address and correspondence address;
2. specimen signature(s);
3. occupation, education and income levels;
4. identification card or passport number, date of birth, place of birth and other information for the verification of identity;
5. financial and banking information (e.g. Information on net assets, income, expenses, credit history, bank account and banking transactions, securities trading account);
6. images and voice recordings of our conversations with you;
7. tax and insurance information;
8. information about your risk profile, investments, investment objectives, knowledge and experience and/or business interests and assets;
9. personal opinions made known to us (e.g. your feedback or responses to any surveys);
10. browsing history, patterns or other unique information;
11. your internet protocol address and information associated with such address;
12. criminal record checks;
13. any other Personal Data reasonably required in order for us to provide the services requested by you; and
14. any other Personal Data permitted by or required to comply with any applicable local or foreign laws, rules, acts, regulations, subsidiary legislation notices, notifications, circulars, licence conditions, directions, requests, requirements, guidelines, directives, codes, information papers, practice notes, demands, guidance and/or decisions of any national, state or local government, any agency, exchange, regulatory or self-regulatory body, law enforcement body, court, central bank or tax revenue authority or any other authority whether in the DIFC, Singapore or elsewhere, whether having the force of law or not (including any intergovernmental agreement between the governments or regulatory authorities of two or more jurisdictions or otherwise), as may be amended from time to time ("Applicable Laws") and our internal control and compliance policies.

Section 2 sets out the type of Personal Data that we collect or may collect from you.

3.1 The Personal Data has/or will be obtained from the following sources, where applicable, or such other sources which we may see fit from time to time:

1. information provided or submitted by you through among others, your dealings and agreements with us, which includes information provided when registering as a user, providing information regarding any account which you may open with us, providing answers to security questions, completing any confirmations, declarations or forms, or through your utilization of any of our Services, accessing or viewing our Platform;
2. as applicable, publicly available or publicly accessible information; and
3. such other written, electronic or verbal communications or documents delivered to us prior to and during the course of our contractual or pre-contractual dealings with you.
4. screening service providers such as LexisNexis.

Section 3 sets out where we may obtain Personal Data from.

4.1 The accuracy of your Personal Data depends largely on the information you provide to us, you should inform us as soon as practicable if there are any errors in the Personal Data or if there have been any changes to the Personal Data.

4.2 We intend to keep the Personal Data accurate and up-to-date, and retain the Personal Data no longer than necessary for the above purposes or as required or permitted by any Applicable Law (including the DPL).

As the accuracy of your Personal Data depends largely on the information you provide to us, you should inform us as soon as practicable if there are any errors in the Personal Data or if there have been any changes to the Personal Data.

5.1 We may use your Personal Data for our business purposes, including the provision and continuing operation of the Platform and the Services provided to you. This includes, the following purposes ("Purposes"):

1. provision of the Services as requested by you;
2. carrying out any transactions on your behalf contemplated on the Platform and the Services thereto;
3. assessing and processing applications, instructions or requests from you;
4. communicating with you, including providing you with updates on changes to our Services;
5. to verify your identity for the purposes of providing Services to you;
6. conducting due diligence checks, screenings or credit checks as may be required by any Applicable Laws or our internal policies and procedures;
7. for the specific purpose for which it was volunteered or provided to us;
8. to detect and protect us or any third parties against negligence, fraud, theft and other illegal activities;
9. to understand your needs and preferences;
10. improving the content, appearance and utility of the Platform;
11. to manage and develop infrastructure and business operations;
12. to administer any account which you may open with us;
13. to process payments;
14. to comply with our internal policies and procedures;
15. to respond to queries or feedback;
16. to address or investigate any complaints, claims or disputes;
17. as permitted by any Applicable Laws;
18. to comply with any Applicable Laws or any request from any relevant governmental or regulatory authority;
19. financial reporting, regulatory reporting, management reporting, risk management, audit and record keeping purposes;
20. enforcing obligations owed to us;
21. seeking professional advice, including legal advice;
22. any other reasonable purposes in connection with the provision of our Services;
23. providing you with marketing materials in connection with the services we may provide;
24. fulfilling any purpose directly related to the above Purposes; or
25. any other purposes that are appropriate or authorized by any Applicable Laws.

Section 5 sets out how we may use your Personal Data. This includes using your Personal Data for the provision of our Services / Platform to you, for marketing purposes, and to comply with regulatory requirements.

6.1 We may from time to time disclose and share your Personal Data to our directors, officers, employees, representatives, agents or delegates or any third parties, whether located in DIFC, Singapore or otherwise, to carry out the Purposes. This includes, disclosing and sharing your Personal Data with the following:

1. any of our directors, officers, employees, representatives, agents or delegates;
2. any of our shareholders or related corporations, and any of their successors or assigns, and their directors, officers, employees, representatives, agents or delegates;
3. our professional advisers, consultants and auditors;
4. any service providers, agents, contractors, delegates, suppliers or third parties which we may appoint from time to time to provide us with services in connection with the Platform or the Services that we offer to you, and their directors, officers, employees, representatives, agents or delegates;
5. any sub-contractors which any of our service providers, agents, suppliers, delegates or contractors may appoint from time to time to provide them with services in connection with the Platform or the Services that we offer to you, and their directors, officers, employees, representatives, agents or delegates;
6. anyone who takes over or may take over all or part of our rights or obligations under any agreement we have with you or anyone any agreement we have with you (or any part thereof) is transferred to or may be transferred to;
7. any person who we believe in good faith to be your legal advisers or other professionals;
8. any relevant governmental or regulatory authority, in so far as we need to do so to keep to any Applicable Laws, or which we in good faith believe that we should keep to; and
9. pursuant to a request by any relevant governmental or regulatory authority (regardless of the reason for such request and whether such request is exercised under a court order or otherwise);
10. parties which assist us in carrying out the Purposes laid out above in this Privacy Policy; and
11. any person to whom we are, in our belief in good faith, under an obligation to make disclosure as required by any Applicable Laws, provided that:
(1)in the case of disclosures under any of the circumstances in (a) to (f), we shall procure that the recipient is subject to the same duty of confidence; and (2) In the case of disclosures under any of the circumstances in (h) and (k), we shall disclose such Personal Data in accordance with the terms of the DPL. We shall exercise reasonable caution and diligence to determine the validity and proportionality of any request and where reasonably practicable obtain appropriate written and binding assurances from the recipient of the Personal Data in relation to the disclosures.

We may also disclose and share your Personal Data with other persons in connection with the Purposes described in Section 5.

7.1 You may, at any time, withdraw your consent to receive marketing information from us. If you wish to do so, please click on the “Unsubscribe” option available on all marketing/newsletter emails that you may receive from us or contact our Data Protection Officer at dataprotection@stashaway.com.

7.2 You may also withdraw consent and request us to stop collecting, using and/or disclosing your personal data for any or all of the Purposes described in Section 5 by submitting your request in writing or via email to our Data Protection Officer.

7.3 Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within ten (10) business days of receiving it.

7.4 Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our Services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described in Section 7.2 above.

7.5 Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclose without consent is permitted or required under applicable laws.

You have the right to withdraw any consent provided by you to receive any marketing information from us or to the collection, usage and/or disclosure of your personal data in connection with the Purposes described in Section 5. We will seek to process your withdrawal request within ten (10) business days. However, a withdrawal of your consent to collect, use and/or disclosure your personal data in connection with the Purposes described in Section 5 means that we may not be able to continue to provide you with our Services.

We may transfer, store, process and/or deal with your Personal Data outside the DIFC for one or more of the Purposes set out above. In doing so, we will comply with the DPL and other applicable data protection and privacy laws.

WWe may transfer your Personal Data outside the DIFC. If we do, we will comply with applicable data protection and privacy laws.

Your Personal Data is retained as long as the purpose for which it was collected remains and until it is no longer necessary for any other business purposes or to comply with any Applicable Laws (including the DPL). This means that we will normally retain your Personal Data for a period of 6 years following the end of our relationship with you.

We may retain your Personal Data for as long as it is necessary for the purpose it was collected, for business purposes or to comply with applicable laws.

10.1 To safeguard your Personal Data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures such as:

1. minimised collection of personal data;
2. authentication and access controls (such as good password practices, need-to-basis for data disclosure, etc.);
3. encryption of data;
4. data anonymization;
5. up-to-date antivirus protection;
6. regular patching of operating system and other software;
7. securely erase storage media in devices before disposal;
8. web security measures against risks;
9. usage of one time password(“OTP”)/ 2 factor authentication (“2FA”)/ multi-factor authentication (“MFA”) to secure access, and;
10. security review and testing performed regularly.

10.2 You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.

We have introduced administrative, physical and technical measures to ensure the protection of your Personal Data with us.

You have a number of key rights under the DPL. We have set these out below:

11.1 You may also request access to Personal Data we hold, or request the rectification of any inaccurate data. If you would like to do so, please contact our Data Protection Officer at dataprotection@stashaway.com.

11.2 Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request.

11.3 We will respond to your request as soon as reasonably possible. In general, our response will be within thirty (30) days. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the DPL).

You may contact our Data Protection Officer to access or request changes to your Personal Data.

12.1 Our Platform, websites and mobile applications (“apps” or an “app”) use cookies. A cookie is a small text file placed on your computer, system or mobile device when you visit a web site or use an app. Cookies collect information about users and their visit to the web site or use of the app, such as their Internet protocol (IP) address, how they arrived at the web site (for example, through a search engine or a link from another web site) and how they navigate within the web site or app. We use cookies and other technologies to facilitate your internet sessions and use of our apps, offer you products and/or services according to your preferred settings, track use of our web sites and apps and to compile statistics about activities carried out on our web sites and/or through our apps.

12.2 A pixel tag, also known as a web beacon, is an invisible tag placed on certain pages of our web site but not on your computer. Pixel tags are usually used in conjunction with cookies and are used to monitor the behaviour of users visiting the web site.

12.3 You may set up your web browser to block cookies which will in turn disable the pixel tags from monitoring your web site visit. You may also remove cookies stored from your computer or mobile device. However, if you do block cookies and pixel tags, you may not be able to use certain features and functions of our web sites or the Platform.

12.4 We also use analytics programs such as Google Analytics for web analytics purposes to manage and improve our websites, mobile applications, the Platform and/or our Services. Features of Google Analytics that we may use include Remarketing with Google Analytics, Google Display Network Impression Reporting, and Google Analytics Demographics and Interest Reporting. Accordingly, your Personal Data may be collected for reports such as impression reporting, demographic reporting, interest reporting and to assist with tailoring our online advertising to provide you with a better experience. You may refer to this link for more information about how your Personal Data is collected through Google Analytics.

12.5 We and our third-party vendors, including Google, use first-party cookies (such as the Google Analytics cookie) or other first-party identifiers, and third-party cookies (such as Google advertising cookies) or other third-party identifiers together, to inform, analyse, optimise, and serve custom ads based on your interests, searches and prior usage patterns when visiting our websites, mobile applications and Platform, and for other market research analysis purposes such as impression reporting and how your interactions with these ads are related to visits to our websites, mobile applications and Platform, amongst others. As a consequence, third party vendors may show our ads on other websites or mobile applications. We neither support nor endorse the goals, causes or statements of these websites or mobile applications which display our ads.

12.6 Using the Google Ad Settings, you may control the ads you view, block specific advertisers, learn how ads are selected for you, and opt-out of Google Analytics for Display Advertising. To opt out from any collection or use of information by Google Analytics, please download and install the Google Analytics Opt-Out Browser Add-on available at this link. By opting out, you will not be subject to online advertising or marketing analysis by Google Analytics and you will no longer receive ads tailored to your browsing patterns and usage preferences.

We may collect information, your Personal Data, through cookies on our Platform, website and mobile applications. We use analytics programs such as Google Analytics to manage and improve our websites, mobile applications, the Platform and/or our Services. We may with the help of Google Analytics use your browsing behaviour and prior usage patterns together with any other Personal Data previously provided by you in accordance with this Privacy Policy.

Our web sites may contain links to other web sites which are not maintained by us. This Privacy Policy only applies to our websites, mobile applications, the Platform and/or our Services. When visiting these third-party web sites, you should read their privacy policies which will apply to your use of the web sites.

This Privacy Policy does not apply to third party web sites which may be linked to our web sites.

Our Privacy Policy may change from time to time. We will post any privacy policy changes on this page, for which you will be notified. If you continue to use our Services, operate any account maintained with us, access our Platform, websites or mobile applications, and/or otherwise provide information to or communicate with us, you are deemed to have agreed to such changes without reservation.

The Privacy Policy is subject to changes made by us; and if you continue to use our Services, operate any account maintained with us, access our Platform, websites or mobile applications, and/or otherwise provide information to or communicate with us, you will be treated as if you have agreed to the changes.